What many business leaders today are just beginning to understand is that the software development process can support higher-level business strategy and competitive advantage. How? While software development may have been a mystery to leaders in the past, applications are driving so many more of today’s business functions. Now it is critical that the software powering those applications be secure, continuous and frictionless.

Security vulnerabilities and lengthy delays in fixing them can lead to increased risk in the form of breaches, lost customers and slower, more costly operations. A recent New York Times feature on Facebook argues that many of the troubles the social media giant has had this year, including a major data breach and poor management of fake news, are the result of decisions by top executives to delegate or deprioritize security. Now the company is facing questions from federal regulatory bodies, hefty fines and the lost trust of its users.

On the other hand, some companies have fully embraced the concept of developing secure software by having development and security teams work closely together, also known as DevSecOps. At Veracode, our annual State of Software Security (SoSS) report (via eWeek) revealed that companies that implement this DevSecOps methodology are fixing their software vulnerabilities more than 11 times faster than competing businesses. These organizations are able to innovate faster, save costs and become more agile in dealing with new risks. It all starts with recognition from business leaders that integrating security into their development processes is important.

Why Does Application Security Matter?

Modernizing software development programs to produce more secure software is an investment. It requires training developers on application security techniques, potentially buying new tools and restructuring development processes. To justify an investment like this, it is important to understand why it is worth doing.

There are two sides to the argument for investing in application security. The first is risk reduction; the second is competitive advantage. Both are high-level components relevant to the overall strategy of the business.

Results from the SoSS report show that more than 85% of all applications have at least one vulnerability, and more than 70% of all flaws remain one month after discovery. Additionally, roughly 1 in 10 applications have at least one very-high-severity flaw; such flaws are typically the easiest for attackers to exploit.

It can be easy to dismiss or overlook security flaws like these as merely code problems for the tech staff, but seeing each vulnerability as a point of risk that opens the company up to potential breach activity and lost customers puts things into perspective. To put a finer point on it, the average velocity at which organizations fix application security flaws isn't just a metric for the performance of an application security program; it is also a benchmark for measuring the risk posed to the business by its software applications.

Risk reduction is not the only benefit of application security programs. One study by CA Technologies (via ZDNet) shows that the highest-performing organizations in DevOps and Agile processes "are seeing a 60% higher rate of revenue and profit growth and are 2.4 times more likely than their mainstream counterparts to be growing their businesses at a rate of over 20%."

How To Benefit From Secure Software Processes

The key to successful DevSecOps programs is to take an incremental approach to application development. Adopting this approach means more frequent scanning for security flaws, which means they are identified earlier and can be remediated more quickly.

Indeed, the most successful DevSecOps teams scan the applications they build on a daily basis during the development process. This means that security checks and development can happen together, without waiting on any team that might otherwise act as a bottleneck to a continuous release. Unsurprisingly, our report revealed that companies that scan their applications most frequently are the ones with the highest flaw-fix velocity. That is, they resolve their security flaws sooner after the initial discovery, thus reducing overall risk.
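The flaw-fix velocity that the paragraph above and the risk-benchmark discussion earlier both rely on is easy to measure from scan output. The Python below is an added illustration, not code from the article or from Veracode's products: it takes a constructed list of findings (the field names, the 30-day window and the severity labels are assumptions for this example) and reports the median days-to-fix for closed flaws, the share of flaws still open 30 days after discovery, and any very-high-severity flaws that remain open.

```python
from datetime import date, timedelta
from statistics import median

# Constructed sample findings for illustration only (not real scan output).
# Each record is one flaw: its severity, the date a scan first reported it,
# and the date a later scan confirmed it fixed (None while it remains open).
SAMPLE_FINDINGS = [
    {"id": "F-1", "severity": "very high", "found": date(2018, 9, 1),   "fixed": date(2018, 9, 4)},
    {"id": "F-2", "severity": "high",      "found": date(2018, 9, 1),   "fixed": date(2018, 10, 20)},
    {"id": "F-3", "severity": "medium",    "found": date(2018, 9, 10),  "fixed": None},
    {"id": "F-4", "severity": "very high", "found": date(2018, 9, 15),  "fixed": None},
    {"id": "F-5", "severity": "low",       "found": date(2018, 10, 1),  "fixed": date(2018, 10, 3)},
    {"id": "F-6", "severity": "high",      "found": date(2018, 10, 20), "fixed": None},
]

# Assumed reporting date for the sample above.
AS_OF = date(2018, 11, 15)


def age_in_days(finding, as_of):
    """Days the flaw was open: fixed - found, or as_of - found while still open."""
    end = finding["fixed"] or as_of
    return (end - finding["found"]).days


def still_open_after(finding, days, as_of):
    """True if the flaw was still open `days` days after discovery.

    Returns None when the flaw is too young to judge (the cutoff lies after
    `as_of`), so recent findings do not distort the percentage.
    """
    cutoff = finding["found"] + timedelta(days=days)
    if cutoff > as_of:
        return None
    return finding["fixed"] is None or finding["fixed"] > cutoff


def fix_velocity(findings, as_of, window_days=30):
    """Summarise fix velocity: median days-to-fix, % open past the window,
    and the ids of very-high-severity flaws that are still open."""
    closed_ages = [age_in_days(f, as_of) for f in findings if f["fixed"] is not None]
    judged = [still_open_after(f, window_days, as_of) for f in findings]
    judged = [j for j in judged if j is not None]
    pct_open = 100.0 * sum(judged) / len(judged) if judged else 0.0
    open_very_high = [
        f["id"] for f in findings
        if f["fixed"] is None and f["severity"] == "very high"
    ]
    return {
        "median_days_to_fix": median(closed_ages) if closed_ages else None,
        "pct_open_after_window": round(pct_open, 1),
        "open_very_high": open_very_high,
    }


def sample_report():
    """Run the metric over the constructed sample as of the assumed date."""
    return fix_velocity(SAMPLE_FINDINGS, AS_OF)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Tracking these three numbers per scan run, rather than only the raw count of findings, turns the scanner's output into the business-level benchmark the article describes: the 30-day open percentage lines up directly with the SoSS "remain one month after discovery" figure, and the list of open very-high-severity flaws is what most urgently needs a fix date.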

To make this all happen, business leaders need to communicate to their development teams that security and DevSecOps processes are a priority for the business. They can do this by offering training on basic security techniques for their developers. They should also look for volunteers who can act as security champions. These team members, embedded in development teams, should aim to ensure that everyone is considering the security implications of the decisions they make. They may not know everything about application security, but asking the right questions can help prevent critical issues.

There was a time when the minutiae of software development were not worth worrying about for top-level executives. But as more companies (whether or not they are traditionally technology companies) are being dragged into the spotlight for security issues, it is important to get software security right from the start. And that means starting from the top.